
On 07.05.2014 20:41, Alon Bar-Lev wrote:
> Well, take the recent example of openssl issue that was found. Now, imagine that all products that use openssl should have been re-released. I think this is enough to understand how wrong this is.

Exactly, if you want to take this seriously, you must provide someone who monitors any upstream project you might include and especially backports security patches, maybe on your own, when talking about "enterprise grade software". So any included hard dependency that will be shipped by ovirt must also be maintainable by ovirt. So it's always a good choice to have as few deps as possible, but of course you always have _some_. Where to draw the line is a very difficult task and should be very well reviewed.

-- 
Regards

Sven Kieske
System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax No.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General Partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen